Microsoft Defender for Identity Will Check for Insecure Domain Configurations -- Redmondmag.com

Microsoft Defender for Identity Will Check for Insecure Domain Configurations

By Kurt Mackie
06/23/2022

Microsoft Defender for Identity is getting the ability to detect insecure domain configurations, even when they are Microsoft's defaults.

Two assessments were described in Microsoft's Thursday announcement. Both are related to insecure default Active Directory configurations that are subject to Kerberos resource-based constrained delegation relay attacks, which Microsoft described last month.

Microsoft had described these vulnerabilities after the publication of the "KrbRelayUp" hacking tool created by security researcher Mor Davidovich, demonstrating a way to obtain system privileges. Computing environments using Active Directory, with or without Azure AD synchronization, are potentially vulnerable to such attacks, Microsoft had explained.

Microsoft Defender for Identity is getting the ability to detect two default configurations subject to the Kerberos resource-based constrained delegation relay attacks. One of them concerns "Set ms-DS-MachineAccountQuota," which, in its default setting is set to "10." It could allow attackers to set up to 10 accounts on an exploited network. Microsoft last month recommend it be set to "0," which will limit "the ability of non-privileged users to register devices in domain."

The other detection capability concerns default configurations with the Lightweight Directory Access Protocol (LDAP) channel binding on Active Directory domain controllers. Microsoft recommended turning on the "Require signing" LDAP policy setting because "unsigned network traffic is susceptible to man-in-the-middle attacks."

The detection for Set ms-DS-MachineAccountQuota is now in effect for Microsoft Defender for Identity users. The LDAP configuration detection "will be available in the next two weeks," the announcement indicated.

The announcement just concerned the detections, which will show up in the Secure Score section of the Microsoft 365 Defender portal. The announcement didn't describe making the changes, which apparently IT pros should carry out manually, even though they would be changing Microsoft's default configurations.

However, the good news is that Microsoft will be adding security posture configuration detections more generally to its Microsoft Defender for Identity product.

"We are working on adding more configurations to this Defender for Identity security posture assessments to help customers proactively secure their environments from exploitation, stay tuned!" the announcement indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.